
I have a Windows 2003 web server sitting behind a Cisco PIX 515 firewall. HTTP access is fine, but I can't make FTP access work.

The configuration I'm trying:

fixup protocol ftp 20
static (inside,outside) <external-IP> <internal-IP> netmask 255.255.255.255 0 0
conduit permit tcp host <external-IP> eq www any
conduit permit tcp host <external-IP> eq ftp-data any
conduit permit tcp host <external-IP> eq ftp any

I also tried "fixup protocol ftp 21" and "no fixup protocol 20"; as they didn't work, I removed them.

It connects successfully, I type my username and password just fine. When I try any command I get:

C:\>ftp <server-name>
Connected to <server-name>.
220 Microsoft FTP Service
User (<server-name>:(none)): <username>
331 Password required for <username>.
Password:
230 User <username> logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

And it sits there forever. I can see on eventvwr that the server drops the connection after the time-out I configured is reached.

If I try from Internet Explorer I get a message box:

200 Type set to A
500 Invalid PORT command
500 'LPRT 6,16,0,0,0,0,0,0,0,0,9,4,0,0,0,0,34,113,2,6,71': command not understood

FTP to this server from inside my LAN works fine.

Can anyone help me? Thanks a lot!

1 Answer


Remove:

fixup protocol ftp 20

and just add:

fixup protocol ftp

without a port number. A port number is not needed. In addition to this, you may need to issue a clear xlate for it to take effect right away...however, this will disconnect any/all active connections (and can cause other issues).

Edited to add:

As Zephyr asked in comments above, it is important to know what version of PIX software you're running as Cisco replaced fixup with inspect.

GregD
  • He said: "I also tried "fixup protocol ftp 21" and "no fixup protocol 20"; as they didn't work, I removed them." I made the same answer before reading the question a second time ;) – radius Jul 15 '09 at 14:14
  • But I also suspect that he did this and tried them right away before trying clear xlate. – GregD Jul 15 '09 at 14:17
  • When I try "fixup protocol ftp" it returns an error message: "usage: [no] fixup protocol [-]" –  Jul 15 '09 at 14:41
  • I googled clear xlate and I don't think it is necessary because the command "static (inside,outside) netmask 255.255.255.255 0 0" was already in place –  Jul 15 '09 at 14:45
  • What does a "show fixup" return? – GregD Jul 15 '09 at 16:40
  • GregD, it returns: fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol sqlnet 1521 no fixup protocol smtp 25 fixup protocol ftp 20 –  Jul 15 '09 at 16:42
  • Try these commands in this order: no fixup protocol ftp 20 | fixup protocol ftp 21 – GregD Jul 15 '09 at 16:48
  • Also, is your FTP site setup to accept all incoming IP addresses or specific ones (like your internal ones)? – GregD Jul 15 '09 at 16:49
  • GregD, now "show fixup" shows: fixup protocol http 80 fixup protocol h323 1720 | fixup protocol rsh 514 | fixup protocol sqlnet 1521 | no fixup protocol smtp 25 | fixup protocol ftp 21 | but it's still not working. Thanks anyway! –  Jul 15 '09 at 16:50
  • GregD, my FTP site allows any IP address to connect to it; I can connect, but I can't even see its contents (dir) or upload/download any file (put/get). IIS shows I'm connected. –  Jul 15 '09 at 16:53
  • What FTP client are you using? Have you tried active vs. passive ftp on your client outside of the firewall? – GregD Jul 15 '09 at 16:58
  • I tried using both ftp.exe and Internet Explorer to access the ftp site. –  Jul 15 '09 at 17:05
  • GregD, I tried using FileZilla and it's working. How strange. –  Jul 15 '09 at 17:13
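The thread above ends with active-mode clients (ftp.exe, Internet Explorer) getting "500 Invalid PORT Command" while FileZilla works, but never pins down why. What distinguishes the two cases is who opens the data connection: in active mode the client announces an address and port in a PORT (or EPRT/LPRT) command and the server connects out to it from its ftp-data port 20, whereas in passive mode the client connects in to a port the server announces. The script below is an added example, not code from the original post or from Cisco or Microsoft: it parses the three active-mode address commands, including the LPRT argument that appears verbatim in the question, and applies the check a server (and a NAT firewall's FTP ALG) has to make, that the advertised host equals the address the control connection actually came from. The assumption, labelled in the code, is that a server enforcing this check answers a mismatch with a 5xx reply of the kind seen in the question; the sample addresses are constructed from documentation ranges and the server/client IPs are placeholders, not the poster's.

```python
"""Parse FTP active-mode address commands (PORT, EPRT, LPRT) and check the
advertised host against the control connection's peer address.

Added example, not from the original thread or any vendor's code.  All
addresses and command lines below are constructed (RFC 5737 / RFC 3849
ranges); the only real value is the LPRT argument quoted in the question.
"""
import ipaddress

FTP_DATA_PORT = 20  # RFC 959: server's default data port (L-1) for active mode


def parse_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959) -> (IPv4Address, port)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ipaddress.IPv4Address(bytes(parts[:4])), parts[4] * 256 + parts[5]


def parse_lprt(arg):
    """LPRT af,hal,h1..hN,pal,p1..pM (RFC 1639) -> (address, port).

    af 4 carries 4 host bytes, af 6 carries 16; the port is big-endian."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) < 3 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed LPRT argument: %r" % arg)
    af, hal = parts[0], parts[1]
    host_bytes = parts[2:2 + hal]
    if len(parts) < 3 + hal:
        raise ValueError("LPRT argument truncated: %r" % arg)
    pal = parts[2 + hal]
    port_bytes = parts[3 + hal:3 + hal + pal]
    if len(host_bytes) != hal or len(port_bytes) != pal:
        raise ValueError("LPRT length fields disagree with data: %r" % arg)
    if af == 4 and hal == 4:
        host = ipaddress.IPv4Address(bytes(host_bytes))
    elif af == 6 and hal == 16:
        host = ipaddress.IPv6Address(bytes(host_bytes))
    else:
        raise ValueError("unsupported LPRT address family %d/%d" % (af, hal))
    port = 0
    for b in port_bytes:
        port = port * 256 + b
    return host, port


def parse_eprt(arg):
    """EPRT <d><proto><d><host><d><port><d> (RFC 2428) -> (address, port)."""
    delim = arg[0]
    fields = arg.split(delim)          # '|1|h|p|' -> ['', '1', h, p, '']
    if len(fields) != 5 or fields[0] or fields[4]:
        raise ValueError("malformed EPRT argument: %r" % arg)
    proto, host, port = fields[1], fields[2], fields[3]
    addr = ipaddress.ip_address(host)
    if (proto == "1") != (addr.version == 4):
        raise ValueError("EPRT protocol %s does not match host %s" % (proto, host))
    return addr, int(port)


def parse_active_command(line):
    """Dispatch one control-channel line to the right parser."""
    verb, _, arg = line.strip().partition(" ")
    parsers = {"PORT": parse_port, "LPRT": parse_lprt, "EPRT": parse_eprt}
    if verb.upper() not in parsers:
        raise ValueError("not an active-mode address command: %r" % line)
    return parsers[verb.upper()](arg)


def server_accepts(line, peer_ip):
    """Anti-bounce check: honour the command only if the advertised host is
    the address the control connection came from.

    Assumption (not established by the thread): a server enforcing this
    check rejects a mismatch with a 5xx reply such as '500 Invalid PORT
    Command'.  A client behind NAT announces its private address and fails
    this check unless a firewall ALG rewrites the command in flight."""
    host, _port = parse_active_command(line)
    return host == ipaddress.ip_address(peer_ip)


def data_connection(line, server_ip):
    """The TCP connection the server opens for an accepted active-mode
    command: (src_ip, src_port, dst_ip, dst_port).  Note the source port is
    ftp-data (20) and the connection is outbound from the server, so an
    inbound permit for port 20 does not cover it."""
    host, port = parse_active_command(line)
    return (str(ipaddress.ip_address(server_ip)), FTP_DATA_PORT, str(host), port)


if __name__ == "__main__":
    SERVER = "198.51.100.2"    # placeholder for the server's external IP
    CLIENT = "203.0.113.10"    # placeholder for the client's public IP
    samples = [
        "PORT 203,0,113,10,6,71",                                   # matches peer
        "PORT 192,168,1,20,6,71",                                   # private address leaked
        "EPRT |1|203.0.113.10|1607|",
        "LPRT 6,16,0,0,0,0,0,0,0,0,9,4,0,0,0,0,34,113,2,6,71",     # from the question
    ]
    for cmd in samples:
        host, port = parse_active_command(cmd)
        ok = server_accepts(cmd, CLIENT)
        print("%-55s -> %s:%d  %s" % (cmd, host, port, "accept" if ok else "REJECT"))
        if ok:
            print("   server opens", data_connection(cmd, SERVER))
```

Run it as-is to see which of the four constructed commands a peer-address check lets through; when debugging a real case, capture the control channel on both sides of the firewall and feed the observed PORT/EPRT/LPRT line and the observed source IP to `server_accepts` to see whether the advertised address survived NAT. The LPRT line from the question decodes to an IPv6 address on what was an IPv4 control connection, which fails the same check.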